Edited by JoeGons, 24 November 2009 - 07:32 AM.
[Closed] Found CPAX20 (alg.exe) CPAX2.exe on my system.
#1
Posted 17 November 2009 - 07:14 AM
If we could do it alone, we wouldn’t need each other.
#2
Posted 19 November 2009 - 04:51 PM
If you still require help, please do the following so we can see the condition of your machine, and also give a description of any remaining problems or symptoms you may still have.
Please read the instructions here first: http://forums.whatth...rs_t106388.html
Post the results once done. Any problems/questions you can let me know.
~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.
The help you receive here is free. If you wish to show your appreciation, you may wish to
#3
Posted 20 November 2009 - 04:47 AM
#4
Posted 20 November 2009 - 03:16 PM
Yes, you can upload that file to the following place:
Open VirSCAN or VirusTotal Online Scanner. If one site is busy or down, try the other
At the top of the page you'll see a box. Locate the file and upload it. Post the results once done.
Try running GMER...
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
- Please download GMER from one of the following locations, and save it to your desktop:
- Main Mirror (this version will download a randomly named file; recommended)
- Zip Mirror
- Alternate Zip Mirror 1
- Alternate Zip Mirror 2
- Close any and all open programs, as this process may crash your computer.
- Double click or on your desktop.
- When you have done this, close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
- Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
- Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
- In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
- Sections
- IAT/EAT
- Registry
- Drives/Partition other than Systemdrive (typically C:\)
- Show all (Don't miss this one!)
- Click on and wait for the scan to finish.
- If you see a rootkit warning window, click OK.
- Push and save the logfile to your desktop.
- Copy and Paste the contents of that file in your next post.
If GMER doesn't work in Normal Mode try running it in Safe Mode
Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries
~EB
#5
Posted 21 November 2009 - 04:57 PM
Attached Files
#6
Posted 22 November 2009 - 10:15 AM
I'm not sure of commercial rootkit scanners and most rootkit scanners require some knowledge of the Operating System itself. Not everything it finds is "bad" or true.
Can you try this rootkit scanner?
Download and Run SysProt Anti-Rootkit
Please download SysProt Antirootkit v1.0.1.0 from one of the links below and save it to your desktop.
- Please extract the SysProt.zip file to your desktop. Unzip/extract the file to its own folder by Right-clicking on it and selecting Extract All.... (Click here for information on how to do this if not sure. Win 2000 users click here.). Follow the prompts to finish extracting it.
- Open the extracted folder and double-click the Sysprot.exe program to run it. (If you are using Vista, please right-click and select Run as administrator)
- Click on the Log tab.
- Under the Write to log box select all 7 items referring to the diagram below
- Now push the button near the bottom.
- Another window shall appear soon. Please be patient while it collects some information.
- Once the new windows appears, please select the Scan Root Drive option.
- Now press the button.
- It will now begin to scan. Please be patient until the scan is complete.
- Once the scan is complete, a new window will appear notifying you that it is complete.
Please post/attach the contents of that log here in your next reply.
#7
Posted 22 November 2009 - 05:14 PM
#8
Posted 23 November 2009 - 07:13 AM
#9
Posted 23 November 2009 - 09:01 AM
Attached Files
#10
Posted 23 November 2009 - 05:57 PM
Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link
Please delete the copy of DDS you currently have. Re-download it from one of those links above and save it to your desktop.
Run it and post the logs once done.
With Regards,
Extremeboy
#11
Posted 24 November 2009 - 07:43 AM
Attached Files
#12
Posted 24 November 2009 - 03:15 PM
http://www.bleepingc...to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.
Please include the C:\ComboFix.txt in your next reply for further review.
#13
Posted 24 November 2009 - 04:54 PM
#14
Posted 25 November 2009 - 12:37 PM
Yes, there are a few things in the log which we can remove. Rest assured that Combofix was not intended for private use, but if you are guided and follow the instructions correctly then everything should go fine. Combofix has been used many times before and is a safe tool to use under guidance; otherwise we wouldn't be telling you to run it.
ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.
#15
Posted 25 November 2009 - 04:17 PM
I apologize for my caution.
My Archives were not ravaged.
The Log is attached.
I got really scared when it said “Deleting Desktop Folder”.
Everything was there after reboot.
What a relief!!
ComboFix 09-11-25.01 - Owner 11/25/2009 17:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.361 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ErrLog.txt
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\system32\AutoRun.inf
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.
2009-11-25 16:03 . 2009-11-25 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2009-11-24 12:33 . 2009-11-24 12:33 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 12:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 12:32 . 2009-11-24 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-24 01:13 . 2009-11-24 01:13 54624 ----a-w- c:\windows\system32\42cAA.sys
2009-11-23 11:06 . 2009-11-23 11:06 -------- d-----w- c:\program files\Sophos
2009-11-21 20:41 . 2009-11-21 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 19:10 . 2009-11-17 19:10 34816 ----a-w- c:\windows\system32\drivers\rootrepeal1.3.3.sys
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-17 16:02 . 2009-11-17 16:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-17 16:02 . 2009-11-20 19:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2009-11-16 23:06 . 2009-11-18 23:17 -------- d-----w- c:\program files\ERUNT
2009-11-16 15:34 . 2009-11-16 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-11-10 14:44 . 2009-11-10 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\XnView
2009-11-04 20:15 . 2009-11-04 20:15 0 ---ha-w- C:\aaw7boot.cmd
2009-11-03 20:56 . 2009-11-03 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 20:55 . 2009-11-03 20:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-03 19:32 . 2009-11-03 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 16:35 . 2009-11-03 16:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 16:35 . 2009-11-03 16:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 16:35 . 2009-11-03 16:35 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 16:35 . 2009-11-03 16:35 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 16:35 . 2009-11-03 16:35 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 15:35 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-03 14:17 . 2009-11-03 14:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 14:17 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-02 21:57 . 2007-12-04 08:59 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll
2009-11-02 21:57 . 2009-11-25 21:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SpamExperts
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\SpamExperts
2009-11-02 00:33 . 2009-11-02 11:49 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-10-27 14:46 . 2009-10-27 14:48 -------- d-----w- C:\RSV3 - Portuguese (Brazil)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 21:09 . 2009-05-07 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-11-24 19:16 . 2005-03-04 13:11 -------- d-----w- c:\program files\PHOTOED
2009-11-22 14:16 . 2005-02-27 15:51 -------- d-----w- c:\program files\Common Files\Lanovation
2009-11-22 14:15 . 2005-02-27 15:31 -------- d-----w- c:\program files\Common Files\New Boundary
2009-11-21 23:30 . 2008-02-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 16:20 . 2005-02-27 15:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 02:21 . 2008-10-28 15:51 -------- d-----w- c:\documents and settings\Owner\Application Data\MyHeritage
2009-11-15 17:39 . 2007-07-19 13:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 21:04 . 2009-06-13 20:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-11-09 15:21 . 2006-05-04 20:43 -------- d-----w- c:\program files\7-Zip
2009-11-03 14:17 . 2008-01-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 14:17 . 2005-09-24 15:43 -------- d-----w- c:\program files\Lavasoft
2009-11-03 12:05 . 2005-02-28 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 00:37 . 2009-03-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-24 21:27 . 2009-10-24 21:27 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000009000002i\switch.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000008f00003i\mp3enc.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000001e00002i\mp3el.exe
2009-10-23 19:39 . 2009-09-04 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-10-15 14:12 . 2009-01-29 02:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-09-30 11:41 . 2006-01-13 14:46 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:55 . 2009-09-19 23:55 7168 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\PowerISO\1000000500002i\regsvr32.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 07:47 . 2009-09-08 07:47 33205 ----a-w- c:\program files\Common Files\alg.exet
2009-09-07 14:35 . 2009-09-07 14:35 9454 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{AFDFC350-C142-4790-BE12-8357AECD028F}\_6FEFF9B68218417F98F549.exe
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-25 303180]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-04 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"StartupDelayer"="e:\program files\Startup Delayer\Startup Launcher GUI.exe" [2004-03-01 45056]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-06-13 95960]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-02-27 88363]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-18 282624]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\XSandbox\\Diskeeper Application Launcher\\13.0.3.0\\2008.12.07T11.56\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"e:\\Portable Diskeeper Pro Premier 2009 V.13.0 Build 835\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/21/2009 6:16 PM 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/21/2009 6:16 PM 4150840]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [4/18/2007 8:18 PM 55712]
S3 42cAA;42cAA;c:\windows\system32\42cAA.sys [11/23/2009 9:13 PM 54624]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 ELQQIN;ELQQIN;c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe --> c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 2:39 PM 8704]
S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [5/30/2005 2:32 PM 105124]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 2:39 PM 3072]
S3 FRM;FRM;c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe --> c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe [?]
S3 JJ;JJ;c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe --> c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232]
S3 LCKAQ;LCKAQ;c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe --> c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/16/2009 10:28 AM 107904]
S3 OJMCTAV;OJMCTAV;c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe --> c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe [?]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]
S3 QEDMY;QEDMY;c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe --> c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe [?]
S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [4/21/2006 5:00 PM 122256]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys --> c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys [?]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [5/13/2009 10:37 AM 33792]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/27/2005 1:26 PM 15576]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{32544452-2241-2343-2313-245211031325}]
c:\windows\winlogon.exe
.
Contents of the 'Scheduled Tasks' folder
2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 21:13]
2009-11-23 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-10-09 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
LSP: c:\windows\system32\SpamExpertsLSP.dll
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Free Rent or Buy Calculator_is1 - c:\wheatworks\FreeROB\unins000.exe
AddRemove-Gateway Drivers and Applications Recovery - c:\program files\Gateway\HPA\GWMenu.exe UNINSTALL
AddRemove-Gateway IE Customizations - c:\program files\\Gateway\IECustom\IEProj.exe UNINSTALL
AddRemove-Panda ActiveScan - c:\windows\system32\ASUninst.exe Panda ActiveScan
AddRemove-QcDrv - c:\program files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE UNINSTALL REMOVEPROMPT
AddRemove-Sophos-AntiRootkit - c:\program files\Sophos\Sophos Anti-Rootkit\helper.exe remove
AddRemove-Tweak UI 2.10 - c:\windows\System32\mshta.exe res://c:\windows\System32\TweakUI.exe/uninstall.hta
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 17:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x836A60B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf750cf28
\Driver\ACPI -> ACPI.sys @ 0xf7429cb8
\Driver\atapi -> 0x836a60b0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,1c,d4,ea,a9,f7,82,44,8c,28,a4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,1c,d4,ea,a9,f7,82,44,8c,28,a4,\
[HKEY_USERS\S-1-5-21-220523388-573735546-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1216)
c:\windows\system32\SpamExpertsLSP.dll
- - - - - - - > 'explorer.exe'(2072)
c:\windows\system32\WININET.dll
c:\program files\Gateway Utilities\inkpeek.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Norton AntiVirus\SAVScan.exe
c:\windows\System32\snmp.exe
e:\uphclean\uphclean.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Messenger\msmsgs.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-11-25 17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 21:50
Pre-Run: 1,692,794,880 bytes free
Post-Run: 4,874,072,064 bytes free
- - End Of File - - 5D9D4EF9ECDB0C0D05717983715B715F
If we could do it alone, we wouldn’t need each other.